- From: Ben Schwartz <bemasc@google.com>
- Date: Tue, 18 Oct 2022 12:10:06 -0400
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAHbrMsCWsLsaNXi4J+DbOvpvjxx8m11F0NpgEeZUY34n89hYtQ@mail.gmail.com>

I support the goals of the Unprompted Authentication draft. In fact, I'm so supportive that I recently posted a draft that happens to solve an overlapping problem in a very different way: "Modernizing HTTP Forward Proxy Functionality" [1].

To step back: confidential HTTP _resources_ are arguably a solved problem. We can simply place the resource at an unguessable path (e.g. "capability URLs" [2]). The problem mentioned by this draft occurs when the HTTP service is origin-scoped (e.g. it is not a resource).

The only non-resource HTTP service that I'm aware of is forward proxy functionality. Thus, one way to improve confidentiality of proxies is to make them path-scoped, and this is what the "Modernizing" draft does.

These proposals are not mutually exclusive. Path-scoped proxies have other benefits, and unprompted authentication could be useful for other services with inflexible paths (e.g. .well-known/ resources). However, given the overlapping use cases, these drafts should probably be discussed together.

--Ben

[1] https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/ (Modernizing HTTP Forward Proxy Functionality)
[2] https://www.w3.org/TR/capability-urls/

Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 18 October 2022 16:10:31 UTC